
# -*- coding: utf-8 -*-
# Authors:
#   Thomas Woerner <twoerner@redhat.com>
#
# Based on ipa-client-install code
#
# Copyright (C) 2017  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
# Ansible module metadata: a community-supported module in preview status.
ANSIBLE_METADATA = dict(
    metadata_version='1.0',
    supported_by='community',
    status=['preview'],
)
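# Module documentation.  The option key is `short_description` (the
# original had a space, which Ansible's doc tooling does not recognise),
# and the `required` flags mirror the argument_spec in main(): all
# connection parameters are mandatory, only kinit_attempts has a default.
DOCUMENTATION = '''
---
module: ipaclient_test_keytab
short_description:
  Test if the krb5.keytab on the machine is valid and can be used.
description:
  Test if the krb5.keytab on the machine is valid and can be used.
  A temporary krb5.conf file will be generated to not fail on an invalid one.
options:
  servers:
    description: Fully qualified name of IPA servers to enroll to
    required: yes
  domain:
    description: Primary DNS domain of the IPA deployment
    required: yes
  realm:
    description: Kerberos realm name of the IPA deployment
    required: yes
  hostname:
    description: Fully qualified name of this host
    required: yes
  kdc:
    description: The name or address of the host running the KDC
    required: yes
  kinit_attempts:
    description: Repeat the request for host Kerberos ticket X times
    required: no
    default: 5
author:
    - Thomas Woerner
'''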
# Playbook snippets: one with literal values, one wired to the facts an
# `ipadiscovery` registered result provides.
EXAMPLES = """
# Test IPA with local keytab
- name: Test IPA in force mode with maximum 5 kinit attempts
  ipaclient_test_keytab:
    servers: ["server1.example.com","server2.example.com"]
    domain: example.com
    realm: EXAMPLE.COM
    kdc: server1.example.com
    hostname: client1.example.com
    kinit_attempts: 5

# Test IPA with ipadiscovery return values
- name: Join IPA
  ipaclient_test_keytab:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    realm: "{{ ipadiscovery.realm }}"
    kdc: "{{ ipadiscovery.kdc }}"
    hostname: "{{ ipadiscovery.hostname }}"
"""
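# Return values.  Every flag is a bool (ca_crt_exists was missing its
# `type` entry) and is always present in the result.
RETURN = '''
krb5_keytab_ok:
  description: The flag describes if krb5.keytab on the host is usable.
  returned: always
  type: bool
ca_crt_exists:
  description: The flag describes if ca.crt exists.
  returned: always
  type: bool
krb5_conf_ok:
  description: The flag describes if krb5.conf on the host is usable.
  returned: always
  type: bool
ping_test_ok:
  description: The flag describes if ipa ping test succeeded.
  returned: always
  type: bool
'''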
import os
import tempfile
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_client import (
    setup_logging,
    SECURE_PATH, paths, kinit_keytab, run, GSSError, configure_krb5_conf
)
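def _ipa_ping(env):
    """Run ``ipa ping`` under *env* and report whether it exited with 0.

    The client is invoked by absolute path with the explicit, minimal
    environment the caller built (fixed PATH, dedicated credential cache)
    instead of inheriting the ambient one.  An OSError from the launch
    (binary missing or not executable) yields False; any other exception
    propagates to the caller.
    """
    try:
        result = run(["/usr/bin/ipa", "ping"], raiseonerr=False, env=env)
    except OSError:
        return False
    return result.returncode == 0


def main():
    """Entry point: check whether the host's krb5.keytab and krb5.conf work.

    Two attempts are made.  First, a kinit with the host principal using
    the system krb5.conf; success means both the keytab and the system
    configuration are usable.  Otherwise a temporary krb5.conf is generated
    from the module parameters and the kinit is repeated, so a broken
    system configuration does not mask a valid keytab.  After each
    successful kinit ``ipa ping`` is run to verify that the server accepts
    those credentials.

    Exits via ``module.exit_json`` with ``krb5_keytab_ok``, ``krb5_conf_ok``,
    ``ca_crt_exists`` and ``ping_test_ok``; ``changed`` is always False, so
    check mode is safe.  ``module.fail_json`` is only called when the
    temporary krb5.conf cannot be removed.

    NOTE(review): the credential cache written to paths.IPA_DNS_CCACHE by a
    successful kinit is deleted on entry but not on exit — presumably
    consumed by later tasks; confirm against the role that calls this.
    """
    module = AnsibleModule(
        argument_spec=dict(
            servers=dict(required=True, type='list'),
            domain=dict(required=True),
            realm=dict(required=True),
            hostname=dict(required=True),
            kdc=dict(required=True),
            kinit_attempts=dict(required=False, type='int', default=5),
        ),
        supports_check_mode=True,
    )

    # Private AnsibleModule attribute, kept as in the original to force
    # debug output from the module.
    module._ansible_debug = True
    setup_logging()

    servers = module.params.get('servers')
    domain = module.params.get('domain')
    realm = module.params.get('realm')
    hostname = module.params.get('hostname')
    kdc = module.params.get('kdc')
    kinit_attempts = module.params.get('kinit_attempts')

    # Everything after the first dot.  A hostname without a dot yields the
    # whole hostname (find() returns -1, so the slice starts at 0).
    client_domain = hostname[hostname.find(".")+1:]
    host_principal = 'host/%s@%s' % (hostname, realm)
    sssd = True

    # Remove a stale IPA_DNS_CCACHE so a leftover ticket cannot make the
    # checks below pass; a missing file is not an error.
    try:
        os.remove(paths.IPA_DNS_CCACHE)
    except OSError:
        pass

    krb5_keytab_ok = False
    krb5_conf_ok = False
    ping_test_ok = False
    ca_crt_exists = os.path.exists(paths.IPA_CA_CRT)
    # Explicit, minimal environment for the child processes: a fixed PATH
    # and a dedicated credential cache rather than whatever the caller has.
    env = {'PATH': SECURE_PATH, 'KRB5CCNAME': paths.IPA_DNS_CCACHE}

    # First try: validate krb5 keytab with the system krb5 configuration
    try:
        kinit_keytab(host_principal, paths.KRB5_KEYTAB,
                     paths.IPA_DNS_CCACHE,
                     config=paths.KRB5_CONF,
                     attempts=kinit_attempts)
    except GSSError:
        pass
    else:
        krb5_keytab_ok = True
        krb5_conf_ok = True
        ping_test_ok = _ipa_ping(env)

    # Second try: validate krb5 keytab with a temporary krb5 configuration
    if not krb5_conf_ok:
        # mkstemp() creates the file with mode 0600.  It runs before the
        # try so the finally block can never reference an unbound krb_name
        # (the original created it inside the try, which would have turned
        # an mkstemp failure into an UnboundLocalError in finally).
        (krb_fd, krb_name) = tempfile.mkstemp()
        os.close(krb_fd)
        try:
            configure_krb5_conf(
                cli_realm=realm,
                cli_domain=domain,
                cli_server=servers,
                cli_kdc=kdc,
                dnsok=False,
                filename=krb_name,
                client_domain=client_domain,
                client_hostname=hostname,
                configure_sssd=sssd,
                force=False)

            try:
                kinit_keytab(host_principal, paths.KRB5_KEYTAB,
                             paths.IPA_DNS_CCACHE,
                             config=krb_name,
                             attempts=kinit_attempts)
            except GSSError:
                pass
            else:
                krb5_keytab_ok = True
                # Point the ipa client at the temporary config as well.
                env['KRB5_CONFIG'] = krb_name
                ping_test_ok = _ipa_ping(env)
        finally:
            # The generated config must not be left behind in the temp
            # directory; failing to remove it is reported as a module error.
            try:
                os.remove(krb_name)
            except OSError:
                module.fail_json(msg="Could not remove %s" % krb_name)

    module.exit_json(changed=False,
                     krb5_keytab_ok=krb5_keytab_ok,
                     krb5_conf_ok=krb5_conf_ok,
                     ca_crt_exists=ca_crt_exists,
                     ping_test_ok=ping_test_ok)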
# Script entry guard: Ansible executes the module file directly.
if __name__ == "__main__":
    main()